Under the HIPAA Breach Notification Rule (45 CFR 164.400-414), a covered entity (a healthcare provider, health plan, or healthcare clearinghouse) that discovers a breach of unsecured protected health information (PHI) must notify the affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. A business associate that discovers a breach must notify the covered entity within the same limit, and the covered entity in turn notifies the individuals. Two points matter for security teams. First, the 60-day clock runs from discovery, not from the date the breach occurred, and a breach is treated as discovered on the first day it is known to the entity, or would have been known had the entity exercised reasonable diligence, including knowledge held by any workforce member or agent other than the person who caused the breach. Slow detection or a stalled investigation therefore does not extend the deadline, and 60 days is an outer limit, not a target. Second, the rule applies only to "unsecured" PHI, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons under HHS guidance (encryption or destruction). Loss of properly encrypted PHI whose decryption key was not also compromised does not trigger notification.
Notification Requirement | Description |
---|---|
Timing of Notification | Covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after the breach is discovered (or, with reasonable diligence, should have been discovered). |
Content of Notification | The notification should include a description of the breach, the types of information that were involved, steps individuals can take to protect themselves, what the entity is doing to investigate and mitigate the breach, and how to get further information. |
Description of the Breach | A brief description of what happened, including the date of the breach and the date it was discovered, if known. |
Types of Information Involved | The types of unsecured PHI involved, such as full name, Social Security number, date of birth, home address, account number, diagnosis, or disability code. |
Protective Steps for Individuals | The notification should suggest steps individuals should take to protect themselves from potential harm resulting from the breach. |
Mitigation Efforts | A brief description of what the covered entity is doing to investigate the breach, mitigate harm, and prevent future breaches should be included. |
Contact Procedures | The notification should also include contact procedures for individuals to ask questions or learn additional information, including a toll-free telephone number, an email address, website, or postal address. |
Notification to Secretary of HHS and the Media | For a breach affecting 500 or more individuals, the covered entity must notify the Secretary of HHS at the same time it notifies individuals (no later than 60 days after discovery); if more than 500 residents of a single state or jurisdiction are affected, it must also notify prominent media outlets serving that area. Breaches affecting fewer than 500 individuals are logged and reported to the Secretary annually, no later than 60 days after the end of the calendar year in which they were discovered. |
In addition to the federal requirements, many state breach notification laws impose stricter obligations for incidents involving PHI, and HIPAA does not preempt state law that is more stringent. These laws vary by state and may set shorter deadlines, require notice to a state attorney general or other regulator, or prescribe specific content for the notification letter.
To stay compliant, covered entities and business associates must track and follow both the HIPAA rule and any applicable state laws. In practice this means maintaining a written notification procedure that covers both and training the workforce on it. Which state laws apply is usually determined by where the affected individuals reside, not only by where the breach occurred, so a single incident can trigger obligations in several states at once.
Consult the relevant state statutes and seek legal advice to determine the exact obligations for a given incident. Keeping current on both federal and state requirements lets covered entities and business associates notify affected individuals completely and on time.